On 6/20/2011 9:32 AM, Jason Lavoie wrote:
Full Disclosure: I occasionally do this (cross-platform/manufacturer
firewall migrations) for a living.

On 06/20, Altaf Ahmad wrote:
I tried the I2J tool but it does not translate the ASA commands to JUNOS. I
am having very big configuration ASA files which consist around 1000+
Access list entries (ACEs) by using object-group and it's really very
hard to manually translate huge number of lines in JUNOS. Is there any
suggestion for this issue?

We are considering a migration to SRX, and have done a proof-of-concept
conversion in the lab. It is relatively straightforward to write some
perl to convert access lists from Cisco to Juniper if your object-groups
are consistently structured. The biggest drawback we found is that
Juniper does not support nested address-sets like Cisco does its
object-groups -- we ended up solving that with a commit script on the
Junos side.

Most of the tedious stuff can indeed be automated within the confines of
a sufficiently robust scripting environment. The solutions I've
encountered most frequently are perl-based. I've performed a fair amount
of minor/side tasks via bash shell scripts. A former coworker of mine
once wrote a checkpoint-to-screenos migration utility in VBA (Excel).

Juniper has also offered professional services to assist in migrating
the configuration between platforms. We haven't gotten to that point in
the engagement, so I can't comment on that process.

The amount of work required varies from
customer/environment/configuration to customer/environment/configuration.
-j
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
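
An added example, not code from either poster: a Python version of the conversion the thread describes, parsing ASA `object-group network` blocks and expanding nested `group-object` references so each Junos address-set lists only addresses. The sample config, the zone name `trust`, the zone-based address book and the `net_<prefix>` naming are assumptions; member forms other than `host A` and `A MASK` raise `ValueError` rather than being silently dropped.

```python
import ipaddress

# Constructed sample ASA config (not from the thread): one nested object-group.
SAMPLE_ASA = """\
object-group network WEB_SERVERS
 network-object host 10.1.1.10
 network-object 10.1.2.0 255.255.255.0
object-group network ALL_SERVERS
 group-object WEB_SERVERS
 network-object host 10.2.0.5
 network-object host 10.1.1.10
"""

def parse_groups(config):
    """Return {group: [("net", prefix) or ("group", name), ...]} in config order."""
    groups, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"] and len(tok) == 3:
            current = groups.setdefault(tok[2], [])
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the group block
        elif current is not None and len(tok) == 2 and tok[0] == "group-object":
            current.append(("group", tok[1]))
        elif current is not None and len(tok) == 3 and tok[0] == "network-object":
            addr, mask = (tok[2], "32") if tok[1] == "host" else (tok[1], tok[2])
            current.append(("net", str(ipaddress.ip_network(f"{addr}/{mask}"))))
    return groups

def flatten(groups, name, stack=()):
    """Expand group-object references into a sorted, de-duplicated prefix list."""
    if name in stack:
        raise ValueError("object-group loop: " + " -> ".join(stack + (name,)))
    prefixes = set()
    for kind, value in groups[name]:  # KeyError if a referenced group is undefined
        prefixes.update([value] if kind == "net" else flatten(groups, value, stack + (name,)))
    return sorted(prefixes, key=ipaddress.ip_network)

def to_junos(groups, zone="trust"):
    # Assumptions: zone name "trust" and the net_<prefix> naming are hypothetical.
    base = f"set security zones security-zone {zone} address-book"
    out, seen = [], set()
    for name in groups:
        for prefix in flatten(groups, name):
            addr = "net_" + prefix.translate(str.maketrans("./", "__"))
            if addr not in seen:
                seen.add(addr)
                out.append(f"{base} address {addr} {prefix}")
            out.append(f"{base} address-set {name} address {addr}")
    return out
```

Comparing `flatten()` output per group against the ASA's own expanded view before cutover is a cheap check that no member was lost or widened in translation.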